Abstract. In a previous work, the first author extended to higher-order rewriting and dependent types the use of size annotations in types, a termination proof technique called type or size based termination and initially developed for ML-like programs. Here, we go one step further by considering conditional rewriting and explicit quantifications and constraints on size annotations. This allows us to describe more precisely how the size of the output of a function depends on the size of its inputs. Hence, we can check the termination of more functions. We first give a general type-checking algorithm based on constraint solving. Then, we give a termination criterion with constraints in Presburger arithmetic. To our knowledge, this is the first termination criterion for higher-order conditional rewriting taking into account the conditions in termination.



1 Introduction

We are interested in automatically checking the termination of the combination of β-reduction and higher-order conditional rewrite rules. There are two important approaches to higher-order rewriting: rewriting on βη-normal forms [17], and the combination of β-reduction and term rewriting [16]. The relation between both has been studied in [20]. The second approach is more atomic since a rewrite step in the first approach can be directly encoded by a rewrite step together with β-steps in the second approach. In this paper, we consider the second approach, restricted to first-order pattern-matching (we do not allow abstractions in rule left-hand sides). Following [7], our results could perhaps be extended to higher-order pattern-matching.

The combination of β-reduction and rewriting is naturally used in proof assistants implementing the proposition-as-type and proof-as-object paradigm. In these systems, two propositions equivalent modulo β-reduction and rewriting are identified (e.g. P(2 + 2) and P(4)). This is essential for enabling users to formalize large proofs with many computations, as recently shown by Gonthier and Werner's proof of the Four Color Theorem in the Coq proof assistant. However, for the system to be able to check the correctness of user proofs, it must at least be able to check the equivalence of two terms. Hence the necessity to have termination criteria for the combination of β-reduction and rewriting.

In Coq, rewriting is restricted to the reductions associated to inductive types 
like in functional programming languages with pattern-matching. Such reduc- 
tions correspond to constructor-based rewriting. This is the kind of rewrite sys- 
tems we are going to consider in this paper. A more general form of rewriting is 
studied in [9,6] (matching on defined symbols and matching modulo). 

Currently, Coq accepts only functions in the definition of which recursive calls are made on arguments that are structurally smaller. For first-order functions, this corresponds to restricting rewrite systems to simply terminating ones, that is, to the ones that can be proved terminating by an ordering containing the subterm relation. However, many interesting systems are not simply terminating. Consider for instance the following definition of division on natural numbers:

minus 0 x → 0
minus x 0 → x
minus (s x) (s y) → minus x y
div 0 y → 0
div (s x) y → s (div (minus x y) y)

Considering that minus is applied to strongly normalizing arguments and that the size of a term is the height of its normal form, one can easily prove, by induction on the size of t, that the size of v = (minus t u) is less than or equal to the size of t, hence that this definition of minus terminates:

- If v matches the first rule, then t = 0 and the normal form of v, which is 0, has the same size as t.

- If v matches the second rule, then v has the same normal form as t.

- If v matches the third rule, then t = s t', u = s u' and, by induction hypothesis, the normal form of v has a size smaller than t', hence smaller than t.

The idea of size or type based termination, initiated in [15] and developed by various authors for ML-like definitions [11, 22, 1-4] and rewriting and dependent types [8, 5], consists in extending the underlying type system by replacing a base type B by an infinite family of base types (B^a)_{a ∈ N}, a term of type B^a being by construction of size smaller than or equal to a (except in [22], see later). Then, for ensuring termination, one can restrict in function definitions recursive calls to arguments whose size, by typing, is smaller.

For instance, in all these systems, one can easily (type-)check that minus has for type something similar to ∀αβ N^α ⇒ N^β ⇒ N^α. Hence, assuming that x : N^α and y : N^β, one can easily (type-)check that minus x y : N^α while s x : N^{α+1}. Thus, the recursive call to div in the last rule can be allowed.
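The size argument above, as an added Python example that is not part of the paper: a checker for the first-order fragment only, where a size is restricted to a variable plus a constant, the table SIG encodes the size types of 0, s and minus given in the text, and div is assumed to have an unannotated result type (an assumption of this example).

```python
"""Size-type check for the first-order minus/div rules of the introduction.

A type N^e gives an upper bound e on the size (height of the normal form) of
a term; a size expression is restricted here to a variable plus a constant."""

# A size is (var, k) for var + k, or (None, k) for the constant k; None as the
# whole result means "unbounded" (the unannotated type N).
# Signature entries: (quantified size variables, parameter sizes, result size).
SIG = {
    "0":     ([],         [],         (None, 0)),   # 0 : N^0
    "s":     (["a"],      ["a"],      ("a", 1)),    # s : ∀α N^α ⇒ N^{α+1}
    "minus": (["a", "b"], ["a", "b"], ("a", 0)),    # minus : ∀αβ N^α ⇒ N^β ⇒ N^α
    "div":   (["a", "b"], ["a", "b"], None),        # div : ∀αβ N^α ⇒ N^β ⇒ N (assumed)
}


def infer(term, env):
    """Size of a first-order term: a variable (str) or (symbol, [args]).
    The quantified variables of the symbol are bound by matching its parameter
    sizes against the argument sizes, as (∀elim) followed by (app) does."""
    if isinstance(term, str):
        return env[term]
    sym, args = term
    _qvars, params, result = SIG[sym]
    inst = {p: infer(a, env) for p, a in zip(params, args)}
    if result is None:
        return ("?", 0)                  # unknown size: never counts as smaller
    var, k = result
    if var is None:
        return (None, k)
    base_var, base_k = inst[var]
    return (base_var, base_k + k)


def smaller(e, f):
    """e < f for every valuation of the size variables."""
    if e[0] == "?" or f[0] == "?":
        return False
    return (e[0] == f[0] or e[0] is None) and e[1] < f[1]


def calls(term, f):
    """Argument lists of all occurrences of f in term, nested ones included."""
    if isinstance(term, str):
        return []
    sym, args = term
    found = [args] if sym == f else []
    for a in args:
        found.extend(calls(a, f))
    return found


def rule_ok(f, lhs_args, rhs, env, pos=0):
    """Accept a rule f lhs_args → rhs if every recursive call to f in rhs is,
    at argument position pos, strictly smaller by size type than the
    corresponding left-hand side argument."""
    bound = infer(lhs_args[pos], env)
    return all(smaller(infer(args[pos], env), bound) for args in calls(rhs, f))


def check_div():
    """The last division rule of the introduction, then a variant without the
    (s x) pattern on the left, which the size types rightly reject."""
    env = {"x": ("al", 0), "y": ("be", 0)}                 # x : N^α, y : N^β
    rhs = ("s", [("div", [("minus", ["x", "y"]), "y"])])   # s (div (minus x y) y)
    good = rule_ok("div", [("s", ["x"]), "y"], rhs, env)   # lhs: div (s x) y
    bad = rule_ok("div", ["x", "y"], rhs, env)             # lhs: div x y
    return good, bad
```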

Note that higher-order inductive types, i.e. types having constructors with recursive arguments of higher-order type, require families indexed by ordinals. In the present paper, we restrict our attention to first-order inductive types since higher-order inductive types have already been studied in previous works. Note also that interpreting B^a by the set of terms of size smaller than or equal to a requires subtyping since t : B^b whenever t : B^a and a ≤ b.



However, without explicit existential quantifications and constraints over size annotations, one cannot (type-)check that the following function has type N ⇒ ∀α L^α ⇒ ∃βγ(α = β + γ) L^β × L^γ:

pivot x nil → (nil, nil)
pivot x (cons y l) → let z = pivot x l in
                       if (le y x) then (cons y (fst z), snd z)
                       else (fst z, cons y (snd z))

Such a type is necessary for proving that some sorting functions are size preserving, i.e. have type ∀α L^α ⇒ L^α. To the best of our knowledge, only Xi considers such explicit quantifications and constraints [22]. In this work, B^a is interpreted as the set of terms of size a. Note that, with this interpretation, the type of terms of size smaller than a can be represented by ∃α(α < a)B^α. However, we cannot apply Xi's results to the problem we are interested in for the following reasons:

- Xi considers ML-like function definitions based on letrec/match constructions while we are interested in definitions based on rewrite rules.

- Xi is interested in the termination of closed terms with call-by-value evaluation strategy while we are interested in the strong normalization of open terms.

- Xi has a two-level approach. He considers an intermediate system where not only types but also terms are annotated by size information, and proves that terms typable in this system are terminating. Then, for proving the termination of an unannotated term, he must infer the necessary size annotations, which may not be possible. This elaboration process is described in [21].

In the present paper, we extend the simply typed part of [8] with conditional rewriting and explicit quantifications and constraints over size annotations, without using an intermediate system. As Xi and in contrast with [8], we do not consider higher-order inductive types and interpret B^a as the set of terms of size a. The integration of both works should not create too many difficulties. Hence, we get a powerful termination criterion for the combination of β-reduction and higher-order conditional rewriting, based on type-checking and constraint solving. To our knowledge, this is the first termination criterion for higher-order conditional rewriting taking into account the conditions in termination.

In Section 2, we define a system with constrained types. In Section 3, we give a general type-checking algorithm based on constraint solving. In Section 4, we present a general termination proof technique based on Tait's method for proving the termination of β-reduction. In Section 5, we give a termination criterion based on type-checking with constraints in Presburger arithmetic.

2 A system with constrained types 

Terms. The set 𝒯 of terms is inductively defined as follows:

t ∈ 𝒯 ::= x | c | f | λxt | tt | (t, t) | fst t | snd t | let x = t in t | if t then t else t

where x ∈ X is a term variable, c ∈ C is a constructor symbol and f ∈ F is a function symbol. We assume that C contains true and false. As usual, terms are considered up to renaming of bound variables. By t̄, we denote a sequence of terms t_1, ..., t_n of length |t̄| = n ≥ 0. Term substitutions are denoted by σ, θ, ... or their explicit mappings (x ↦ t). By σ + θ, we denote the substitution equal to θ on dom(θ) and to σ on dom(σ) \ dom(θ). The set 𝒫 of (constructor) patterns is inductively defined by p ∈ 𝒫 ::= x | c p̄.

Size annotations. Let S = {nat, bool} be the set of size sorts. We assume given an S-sorted first-order term algebra A for size expressions a, b, ... whose variables are denoted by α, β, ... We assume that A at least contains the symbols 0 : nat, 1 : nat, + : nat × nat ⇒ nat, max : nat × nat ⇒ nat, t : bool and f : bool. For each sort s, we assume given a well-founded interpretation domain (D_s, >_{D_s}). For bool, we take D_bool = {t, f}. In the following, let true* = t and false* = f; t* = t and f* = f (the constants of A being mapped to the elements of D_bool); t_* = true and f_* = false. Elements of D_s are denoted by a, b, ... Valuations are denoted by μ, ν, ... Size substitutions are denoted by φ, ψ, ...

Constraints. Let a constraint be a first-order formula over A, 𝒞 be a class of constraints containing ⊤ and FV(C) be the variables free in C. We denote by μ ⊨ C the fact that a valuation μ satisfies C; by ⊨ C the fact that, for all valuations μ such that FV(C) ⊆ dom(μ), μ ⊨ C; and by C ≡ D the fact that ⊨ C ⇔ D. We consider constraints up to the logical equivalence ≡.

Types. We assume given a set ℬ of type names containing bool. Let κ_bool = bool and, for all B ≠ bool, κ_B = nat (except bool, which is annotated by booleans, types are annotated by natural numbers). Types are defined as follows:

types           T ::= B^a | T ⇒ T | T × T | ∀αPT | ∃αPT
simple types    S ::= ∃αB^α | S ⇒ S | S × S
basic types     B ::= B^a | B × B
∃-basic types   E ::= B | ∃αPE with ⊨ ∃αP

where B ∈ ℬ is a type name, a ∈ A is a size expression of sort κ_B and P ∈ 𝒞 is a constraint. In the following, we use the following abbreviations: ∀αT = ∀α⊤T and B = ∃αB^α. There is a natural transformation from types to simple types: let \overline{B^a} = ∃αB^α, \overline{∃αPT} = \overline{∀αPT} = T̄, \overline{T ⇒ U} = T̄ ⇒ Ū and \overline{T × U} = T̄ × Ū.

Subtyping. We define a constraint-based subtyping relation. Let C ⊢ T ≤ U iff ⊨ C ⊃ (|T ≤ U|), where (|T ≤ U|) is inductively defined as follows:

- (|B^a ≤ B^b|) = (a = b)

- (|T ⇒ U ≤ T' ⇒ U'|) = (|T' ≤ T|) ∧ (|U ≤ U'|)

- (|T × U ≤ T' × U'|) = (|T ≤ T'|) ∧ (|U ≤ U'|)

- (|T ≤ ∃αPU|) = ∃α(P ∧ (|T ≤ U|))   (α ∉ T, T ≠ ∃βQV)

- (|∃αPU ≤ T|) = ∀α(P ⊃ (|U ≤ T|))   (α ∉ T)

- (|T ≤ ∀αPU|) = ∀α(P ⊃ (|T ≤ U|))   (α ∉ T)

- (|∀αPU ≤ T|) = ∃α(P ∧ (|U ≤ T|))   (α ∉ T, T ≠ ∀βQV)

Typing. An environment is a finite mapping Γ from X to types. Let Γ, x : T be the environment Δ such that xΔ = T and yΔ = yΓ if y ≠ x. Two environments Γ_1 and Γ_2 are compatible if, for all x, xΓ_1 = xΓ_2.



A type assignment is a function τ : C ∪ F → types such that τ_true = bool^t, τ_false = bool^f and, for all s ∈ C ∪ F, τ_s is closed. To every type assignment τ, we associate a typing relation ⊢_τ defined in Figure 1. Note that, in contrast with [22], the typing of u and v in (if) does not depend on t. This is because we consider strong normalization instead of weak normalization. This does not reduce the expressive power of the system since we consider conditional rewriting.

A term t is typable wrt τ if there are C, Γ, T such that ⊨ C and C; Γ ⊢_τ t : T. Let Λ(τ) be the set of terms typable wrt τ. A term t is simply typable if there are Γ, T simple such that ⊤; Γ ⊢_τ t : T without (∃intro), (∀intro), (∃elim), (∀elim), (sub). Let Λ(τ̄) be the set of terms simply typable wrt τ̄.



Fig. 1. Typing rules

(var)
  x ∈ dom(Γ)
  ------------------
  C; Γ ⊢_τ x : xΓ

(symb)
  s ∈ C ∪ F
  ------------------
  C; Γ ⊢_τ s : τ_s

(abs)
  C; Γ, x : T ⊢_τ u : U    x ∉ Γ
  --------------------------------
  C; Γ ⊢_τ λxu : T ⇒ U

(app)
  C; Γ ⊢_τ t : U ⇒ V    C; Γ ⊢_τ u : U
  --------------------------------------
  C; Γ ⊢_τ tu : V

(pair)
  C; Γ ⊢_τ u : U    C; Γ ⊢_τ v : V
  ----------------------------------
  C; Γ ⊢_τ (u, v) : U × V

(fst)
  C; Γ ⊢_τ t : U × V
  --------------------
  C; Γ ⊢_τ fst t : U

(snd)
  C; Γ ⊢_τ t : U × V
  --------------------
  C; Γ ⊢_τ snd t : V

(if)
  C; Γ ⊢_τ t : bool    C; Γ ⊢_τ u : T    C; Γ ⊢_τ v : T    T ∃-basic
  -------------------------------------------------------------------
  C; Γ ⊢_τ if t then u else v : T

(let)
  C; Γ ⊢_τ t : T    C; Γ, x : T ⊢_τ u : U    x ∉ Γ
  ---------------------------------------------------
  C; Γ ⊢_τ let x = t in u : U

(∀intro)
  C ∧ P; Γ ⊢_τ t : T    ⊨ C ⊃ ∃αP    α ∉ C, Γ
  --------------------------------------------
  C; Γ ⊢_τ t : ∀αPT

(∀elim)
  C; Γ ⊢_τ t : ∀αPT    ⊨ C ⊃ P^a_α
  ----------------------------------
  C; Γ ⊢_τ t : T^a_α

(∃intro)
  C; Γ ⊢_τ t : T^a_α    ⊨ C ⊃ P^a_α
  ----------------------------------
  C; Γ ⊢_τ t : ∃αPT

(∃elim)
  C; Γ ⊢_τ t : ∃αPT    C ∧ P; Γ, x : T ⊢_τ u : U    ⊨ C ⊃ ∃αP    α, x ∉ C, Γ, U
  -------------------------------------------------------------------------------
  C; Γ ⊢_τ let x = t in u : U

(sub)
  C; Γ ⊢_τ t : T    C ⊢ T ≤ T'
  -------------------------------
  C; Γ ⊢_τ t : T'



Example 1. Consider the symbols append : ∀βγ L^β ⇒ L^γ ⇒ L^{β+γ} and pivot : N ⇒ ∀α L^α ⇒ ∃βγ(α = β + γ) L^β × L^γ. Let Γ = x : N, l : L^α, u = (let z = t in w), t = pivot x l and w = append (fst z)(snd z). Then, ⊤; Γ ⊢ t : ∃βγ(α = β + γ) L^β × L^γ and α = β + γ; Γ, z : L^β × L^γ ⊢ w : L^α. Thus, by (∃elim), ⊤; Γ ⊢ u : L^α.

Rewriting. Let →_β be the smallest relation stable by context containing the head-β-reduction relation →_{βh} defined as follows:

(λxu)t →_{βh} u^t_x          fst(u, v) →_{βh} u      if true then u else v →_{βh} u
let x = t in u →_{βh} u^t_x   snd(u, v) →_{βh} v      if false then u else v →_{βh} v

A conditional rewrite rule is an expression of the form t = c ⊃ l → r such that l is of the form f l̄, l̄ are patterns, c ∈ {true, false} and FV(r, t) ⊆ FV(l). A rule t = c ⊃ l → r defines f ∈ F if l is of the form f l̄. In the following, we assume given a set R of rules. The associated rewrite relation is the smallest relation →_R stable by context and substitution such that, for all t = c ⊃ l → r ∈ R, lσ →_R rσ whenever tσ →* c, where →* is the reflexive and transitive closure of → = →_β ∪ →_R.

Our goal is to prove the strong normalization of → = →_β ∪ →_R on the set of simply typable terms Λ(τ̄).

Assumption: We assume that → is locally confluent.

Hence, any strongly normalizing term t has a unique normal form t↓. Note that → is locally confluent whenever →_R so is. See [10] for general conditions on the confluence of β-reduction and higher-order conditional rewriting.

It should be noted that (∃elim) makes subject reduction fail. For instance, with Γ = x : ∃αN^α, y : ∀αN^α ⇒ ∃βN^β, we have ⊤; Γ ⊢ let z = x in yz : ∃βN^β while yx is not typable in ⊤; Γ. It could be fixed by replacing in (∃elim) let x = t in u by u^t_x. It does not matter since our termination proof technique does not need subject reduction. Note however that subject reduction holds on simply typed terms.

An example of higher-order conditional rule is given by the following definition of filter : (N ⇒ N) ⇒ ∀α L^α ⇒ ∃β(β ≤ α) L^β:

filter f nil → nil
f x = true ⊃ filter f (cons x l) → cons (f x) (filter f l)
f x = false ⊃ filter f (cons x l) → filter f l

3 Type-checking algorithm 

Type-checking is the following problem: given τ, C, Γ, t and T, do we have C satisfiable and C; Γ ⊢_τ t : T?

Because of the rules (∃elim) and (conv), type-checking does not seem to be decidable. Similarly, in [22], the elaboration process is not complete. It is however possible to give an algorithm that either succeeds or fails, a failure meaning that we don't know. To this end, we inductively define in Figure 2 two relations in the style of bi-directional type inference [12, 2]. In the type inference relation C; Γ ⊢ t ↑ T, C and T are produced according to Γ and t. In the type checking relation C; Γ ⊢ t ↓ T, C is produced according to Γ, t and T. An actual algorithm is a strategy for applying the rules defining these relations.

Let 𝒞̄ be the closure of 𝒞 by conjunction, implication, existential and universal quantification. If one starts with C ∈ 𝒞, then the constraints generated by such an algorithm are in 𝒞̄ too. Hence, if 𝒞 only contains linear inequalities, then 𝒞̄ consists of formulas of Presburger arithmetic, which is known to be decidable [18] and whose complexity is doubly exponential in the size of the formula [13]. This high complexity is not so important in our case since the terms we intend to consider are small (rule right-hand sides). It would however be interesting to study in more detail the complexity of type-checking wrt 𝒞.

For proving the correctness of the rule (↓∃intro), we need to assume that the size expression language A is complete wrt the interpretation domains D_s, that is, to every a ∈ D_s corresponds a closed term a ∈ A whose denotation in D_s is a. Note that this is indeed the case when D_s = N and A contains 0, 1 and +.

See Example 3 at the end of the paper for an example of derivation. 

Theorem 1. Consider the rules of Figure 2. If C; Γ ⊢? t : T, then C is satisfiable and C; Γ ⊢ t : T.

Proof. First, one can easily check that, for every rule, if the constraint in the conclusion is satisfiable, then the constraints in the premises are satisfiable too. Then, we prove that, if C is satisfiable and C; Γ ⊢ t ↑ T or C; Γ ⊢ t ↓ T, then C; Γ ⊢ t : T. We only detail some cases.

(↑∃elim) Let E = C ∧ ∃αP ∧ ∀α(P ⊃ D). Since E ⊃ C and (E ∧ P) ⊃ D, by induction hypothesis and weakening, E; Γ ⊢ t : ∃αPT and E ∧ P; Γ ⊢ u : U. Since (E ∧ P) ⊃ P, by (∃intro), E ∧ P; Γ ⊢ u : ∃αPU. Since E ⊃ ∃αP and α ∉ ∃αPU, by (∃elim), E; Γ ⊢ let x = t in u : ∃αPU.

(↓∀intro) Let E = ∃αP ∧ ∀α(P ⊃ C). Since (E ∧ P) ⊃ C, by induction hypothesis and weakening, E ∧ P; Γ ⊢ t : T. Since E ⊃ ∃αP, we can conclude by (∀intro).

(↓∀elim) Let E = C ∧ P^a_α. By induction hypothesis and weakening, E; Γ ⊢ t : ∀αPT. Since E ⊃ P^a_α, we can conclude by (∀elim).

(↓∃intro) Let E = ∃α(C ∧ P). Since E is satisfiable, C is satisfiable too. By completeness, there is a such that F = C^a_α ∧ P^a_α is satisfiable. By induction hypothesis, C; Γ ⊢ t : T. By substitution and weakening, F; Γ ⊢ t : T^a_α. Since F ⊃ P^a_α, by (∃intro), F; Γ ⊢ t : ∃αPT. Since E ⊃ F, we can conclude by weakening.

(↓∃elim) Let E = C ∧ ∃αP ∧ ∀α(P ⊃ D). Since E ⊃ C and (E ∧ P) ⊃ D, by induction hypothesis and weakening, E; Γ ⊢ t : ∃αPT and E ∧ P; Γ ⊢ u : U. Since E ⊃ ∃αP and α ∉ U, by (∃elim), E; Γ ⊢ let x = t in u : U. □



Fig. 2. Rules for deciding type-checking

(type-check)
  D; Γ ⊢ t ↓ T    ⊨ C ⊃ D    C satisfiable
  ------------------------------------------
  C; Γ ⊢? t : T

(↑var)
  x ∈ dom(Γ)
  ---------------
  ⊤; Γ ⊢ x ↑ xΓ

(↑symb)
  s ∈ C ∪ F
  ----------------
  ⊤; Γ ⊢ s ↑ τ_s

(↑app)
  C; Γ ⊢ t ↑ U ⇒ V    D; Γ ⊢ u ↓ U
  ----------------------------------
  C ∧ D; Γ ⊢ tu ↑ V

(↑pair)
  C; Γ ⊢ u ↑ U    D; Γ ⊢ v ↑ V
  ------------------------------
  C ∧ D; Γ ⊢ (u, v) ↑ U × V

(↑fst)
  C; Γ ⊢ t ↑ U × V
  ------------------
  C; Γ ⊢ fst t ↑ U

(↑snd)
  C; Γ ⊢ t ↑ U × V
  ------------------
  C; Γ ⊢ snd t ↑ V

(↑let)
  C; Γ ⊢ t ↑ T    D; Γ, x : T ⊢ u ↑ U    x ∉ Γ
  ----------------------------------------------
  C ∧ D; Γ ⊢ let x = t in u ↑ U

(↑∀elim)
  C; Γ ⊢ t ↑ ∀αPT    α ∉ C, Γ
  ----------------------------
  C ∧ P; Γ ⊢ t ↑ T

(↑∃elim)
  C; Γ ⊢ t ↑ ∃αPT    D; Γ, x : T ⊢ u ↑ U    x ∉ Γ    α ∉ C, Γ
  ------------------------------------------------------------
  C ∧ ∃αP ∧ ∀α(P ⊃ D); Γ ⊢ let x = t in u ↑ ∃αPU

(↓if)
  C; Γ ⊢ t ↓ ∃α bool^α    D; Γ ⊢ u ↓ T    E; Γ ⊢ v ↓ T    T ∃-basic
  ------------------------------------------------------------------
  C ∧ D ∧ E; Γ ⊢ if t then u else v ↓ T

(↓abs)
  C; Γ, x : T ⊢ u ↓ U    x ∉ Γ
  ------------------------------
  C; Γ ⊢ λxu ↓ T ⇒ U

(↓∀intro)
  C; Γ ⊢ t ↓ T    α ∉ Γ
  -----------------------------------
  ∃αP ∧ ∀α(P ⊃ C); Γ ⊢ t ↓ ∀αPT

(↓∀elim)
  C; Γ ⊢ t ↑ ∀αPT
  ---------------------------
  C ∧ P^a_α; Γ ⊢ t ↓ T^a_α

(↓∃intro)
  C; Γ ⊢ t ↓ T    α ∉ Γ
  -----------------------------
  ∃α(C ∧ P); Γ ⊢ t ↓ ∃αPT

(↓∃elim)
  C; Γ ⊢ t ↑ ∃αPT    D; Γ, x : T ⊢ u ↓ U    α ∉ C, Γ, U
  -------------------------------------------------------
  C ∧ ∃αP ∧ ∀α(P ⊃ D); Γ ⊢ let x = t in u ↓ U

(↓sub)
  C; Γ ⊢ t ↑ T'
  ----------------------------
  C ∧ (|T' ≤ T|); Γ ⊢ t ↓ T



4 Termination proof technique 

In this section, we present a general method for proving the strong normalization 
of /3-reduction and rewriting on well-typed terms. It is based on Tait's method 
for proving the strong normalization of /^-reduction [19]. The idea is to interpret 
types by particular sets of strongly normalizing terms, called saturated, and 
prove that every well-typed term belongs to the interpretation of its type. 

Following [2], we define the weak-head-β-reduction relation →_{βwh} as the relation such that E[t] →_{βwh} E[u] iff t →_{βh} u and E ∈ ℰ, where the set of elimination contexts ℰ is inductively defined as follows:

E ∈ ℰ ::= [] | E t | fst E | snd E

Definition 1 (Saturated sets). The set SAT of saturated sets is the set of all the sets of terms S such that:

(1) If t ∈ S, then t ∈ SN.

(2) If t ∈ S and t → t', then t' ∈ S.

(3) If E[x] ∈ SN, then E[x] ∈ S.

(4) If t ∈ SN, t →_{βh} t' and E[t'] ∈ S, then E[t] ∈ S.

We also define the following operations on sets of terms:

- S_1 ⇒ S_2 = {t ∈ 𝒯 | ∀u ∈ S_1, tu ∈ S_2}

- S_1 × S_2 = {t ∈ 𝒯 | fst t ∈ S_1 ∧ snd t ∈ S_2}

Let 𝒩 be the set of terms of the form f t̄, if t then u else v, fst t or snd t. A saturated set S has the neutral term property if s ∈ S whenever s ∈ 𝒩 and →(s) ⊆ S.

Lemma 1. SAT is a complete lattice for inclusion with ∪ as lub, ∩ as glb and SN as greatest element. It is also stable by ⇒ and ×.

All this is more or less well known. See for instance [2]. The key difference with the first author's work [8] is that we use saturated sets instead of reducibility candidates. See [14] for a comparison between the two kinds of sets. With reducibility candidates, (4) is replaced by the neutral term property.

Reducibility candidates are saturated but the converse does not hold since candidates are not stable by union. Hence, with candidates, ∃αPT cannot be interpreted as a union, which is essential if one wants to interpret B^a as the set of terms of size a in order to give precise types to function symbols.

However, reducibility candidates extend well to rewriting and polymorphism since, for proving that f t̄ ∈ S, it suffices to prove that →(f t̄) ⊆ S. In Lemma 2, we prove that this property still holds with saturated sets when S is the interpretation of an existentially quantified basic type.

Definition 2 (Interpretation of types). A base type interpretation is a function I which, to every pair (B, a) with B ≠ bool, associates a set I_B^a ∈ SAT. We extend I to bool by taking I_bool^a = {t ∈ SN | t↓ ≠ ā_*}, ā being the other element of D_bool. Given such an interpretation, types are interpreted by saturated sets as follows:

- [B^a]^I_μ = I_B^{aμ}

- [U × V]^I_μ = [U]^I_μ × [V]^I_μ

- [U ⇒ V]^I_μ = [U]^I_μ ⇒ [V]^I_μ

- [∀αPT]^I_μ = ∩_{μ+α↦a ⊨ P} [T]^I_{μ+α↦a} if ⊨ ∃αP, [∀αPT]^I_μ = SN otherwise

- [∃αPT]^I_μ = ∪_{μ+α↦a ⊨ P} [T]^I_{μ+α↦a} if ⊨ ∃αP, [∃αPT]^I_μ = ∩SAT otherwise

Let I_B = [∃αB^α]^I. A symbol s ∈ C ∪ F is computable if s ∈ [τ_s]^I. A pair (μ, σ) is valid for C; Γ, written (μ, σ) ⊨ C; Γ, if μ ⊨ C and, for all x ∈ dom(Γ), xσ ∈ [xΓ]^I_μ. A base type interpretation I is valid if every constructor is computable and, for every ∃-basic type T, [T]^I_μ has the neutral term property.

Note that I_bool^a ∈ SAT has the neutral term property and [B̄]^I_μ = [B̄]^I.

Theorem 2. Assume that I is a valid base type interpretation and every f ∈ F is computable. If C; Γ ⊢ t : T and (μ, σ) ⊨ C; Γ, then tσ ∈ [T]^I_μ.

Proof. By induction on C; Γ ⊢ t : T. We only detail some cases.

(abs) We must prove that s = (λxu)σ ∈ [T ⇒ U]^I_μ. Wlog, we can assume that x ∉ σ. Then, s = λx(uσ). Let t ∈ [T]^I_μ. We must prove that st ∈ [U]^I_μ. By induction hypothesis, uσ ∈ [U]^I_μ. Let now σ' = σ + x↦t. Since (μ, σ') ⊨ C; Γ, x : T, by induction hypothesis, uσ' ∈ [U]^I_μ. Hence, st ∈ SN since, by induction on (uσ, t) with →_lex as well-founded ordering, →(st) ⊆ SN. Therefore, st ∈ [U]^I_μ since st →_{βh} uσ' ∈ [U]^I_μ and st ∈ SN.

(if) Let s = (if t then u else v)σ. By induction hypothesis, tσ ∈ I_bool and uσ, vσ ∈ [T]^I_μ. Since s ∈ 𝒩 and T is an ∃-basic type, by the neutral term property, it suffices to prove that →(s) ⊆ [T]^I_μ. This follows by induction on (tσ, uσ, vσ) with →_lex as well-founded ordering.

(∃elim) We must prove that s = (let x = t in u)σ ∈ [U]^I_μ. Wlog, we can assume that x ∉ σ. Then, s = let x = tσ in uσ. Let σ' = σ + x↦tσ. By induction hypothesis, tσ ∈ [∃αPT]^I_μ. Since ⊨ C ⊃ ∃αP, there is a such that μ + α↦a ⊨ P and tσ ∈ [T]^I_{μ+α↦a}. Therefore, by induction hypothesis, uσ' ∈ [U]^I_{μ+α↦a} = [U]^I_μ.

(sub) By induction on T and T', one can easily prove that [T]^I_μ ⊆ [T']^I_μ whenever μ ⊨ (|T ≤ T'|). □

Corollary 1. Assume that I is a valid base type interpretation and every f ∈ F is computable. Then, → is strongly normalizing on Λ(τ).

Corollary 2. Assume that, for all s ∈ C ∪ F, τ_s is of the form T̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ T with T̄ simple, B̄ basic and T an ∃-basic type. If every symbol is computable, then → is strongly normalizing on Λ(τ̄).

Proof. It suffices to prove that, for all s, s ∈ [τ̄_s]^I. We have τ̄_s = T̄ ⇒ B̄ ⇒ T̄, using B as an abbreviation for ∃αB^α. Let t̄ ∈ [T̄]^I and ū ∈ [B̄]^I. We must prove that s t̄ ū ∈ [T̄]^I. There are ā such that ū ∈ I_B̄^{ā}; let μ = ᾱ↦ā. Assume that T = ∃β̄PB. Since s : T̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ T is computable, s t̄ ū ∈ [T]^I_μ = ∪_{μ+β̄↦b̄ ⊨ P} [B]^I_{μ+β̄↦b̄}. Let ν = μ + β̄↦b̄ ⊨ P. We are left to prove that [B]^I_ν ⊆ [B̄]^I. We proceed by induction on B. □



5 Termination criterion 



We now provide conditions to obtain the computability of defined symbols. 

A precedence is a quasi-ordering ≥ whose strict part > = ≥ \ ≤ is well-founded. Let ≃ = ≥ ∩ ≤ be its associated equivalence relation. We assume given a precedence ≥_B on ℬ and a precedence ≥_F on F. We are going to define some base type interpretation and prove that every function symbol is computable by induction on these precedences.

Assumption: For all c ∈ C, we assume that τ_c is of the form C̄¹ ⇒ ∀ᾱ B̄^ᾱ ⇒ B^a with C̄ <_B B, B̄ ≃_B B, a = 0 if |ᾱ| = 0, and a = 1 + max(ᾱ) if |ᾱ| > 0.

Example 2. The type N of natural numbers has constructors 0 : N^0 and s : ∀α N^α ⇒ N^{α+1}. The type L of lists has constructors nil : L^0 and cons : N ⇒ ∀α L^α ⇒ L^{α+1}. The type T of binary trees has constructors leaf : N ⇒ T^0 and node : ∀αβ T^α ⇒ T^β ⇒ T^{1+max(α,β)}.

We define the base type interpretation as follows:

- I_B^0 = {t ∈ SN | ∀c : C̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ B^{a'}, ∀t̄ū, |t̄| = |C̄| ∧ |ū| = |ᾱ| ∧ t →* c t̄ ū ⇒ t̄ ∈ I_C̄ ∧ |ᾱ| = a' = 0}

- I_B^{a+1} = {t ∈ SN | ∀c : C̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ B^{a'}, ∀t̄ū, |t̄| = |C̄| ∧ |ū| = |ᾱ| ∧ t →* c t̄ ū ⇒ t̄ ∈ I_C̄ ∧ a' = 1 + max(ᾱ) ∧ (∃b̄) a = max(b̄) ∧ ū ∈ I_B̄^{b̄}}

Lemma 2. I is a valid base type interpretation.

Proof. One can easily check that I_B^a is saturated and that every constructor is computable. We now prove that [T]^I_μ has the neutral term property whenever T is ∃-basic.

We first remark that, if t ∈ SN and t →* t' ∈ I_B^a, then t ∈ I_B^a. We prove it by induction on (B, a) with (>_B, >_{D_{κ_B}})_lex as well-founded ordering. Let c : C̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ B^{a'}, t̄ and ū such that |t̄| = |C̄|, |ū| = |ᾱ| and t →* c t̄ ū. By confluence, t' →* c t̄' ū' with t̄ū →* t̄'ū'. We proceed by case on a.

- a = t. Then, t' ↛* false. Hence, t ↛* false and t ∈ I_B^a.

- a = f. Idem.

- a = 0. Since t' ∈ I_B^a, t̄' ∈ I_C̄ and |ᾱ| = a' = 0. Since C̄ <_B B, by induction hypothesis, t̄ ∈ I_C̄. Thus, t ∈ I_B^a.

- a > 0. Since t' ∈ I_B^a, t̄' ∈ I_C̄, a' = 1 + max(ᾱ) and there are b̄ such that a = 1 + max(b̄) and ū' ∈ I_B̄^{b̄}. Since C̄ <_B B and b̄ < a, by induction hypothesis, t̄ ∈ I_C̄ and ū ∈ I_B̄^{b̄}. Thus, t ∈ I_B^a.

Let now T = ∃ᾱPB be an ∃-basic type, and let s ∈ 𝒩 be such that →(s) ⊆ S = [T]^I_μ; we must prove that s ∈ S. We have S = ∪_{μ+ᾱ↦ā ⊨ P} [B]^I_{μ+ᾱ↦ā}. We first prove that there are ā such that ν = μ + ᾱ↦ā ⊨ P and →(s) ⊆ S' = [B]^I_ν.

If →(s) = ∅, this is immediate. So, assume that there is t ∈ →(s). Since t ∈ S, there are ā such that ν = μ + ᾱ↦ā ⊨ P and t ∈ S' = [B]^I_ν. Let now u ∈ →(s). By confluence, there is v such that t, u →* v. Since t ∈ S', we have v ∈ S'. Thus, u ∈ S' too. Hence, →(s) ⊆ S'.

We now prove that s ∈ S' whenever →(s) ⊆ S' by induction on B. □

¹ The order of types is not relevant. We take this order for the sake of simplicity.



Fig. 3. Matching constraints

(1)
  ----------------------------------
  α = ε_x; x : B^{ε_x} ⇝ x : B^α

(2)
  c : T̄ ⇒ B^0    B ≠ bool
  ------------------------------
  α = 0; x̄ : T̄ ⇝ c x̄ : B^α

(2')
  c : bool
  ------------------------
  α = c*; ⇝ c : bool^α

(3)
  c : T̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ B^{1+max(ᾱ)}    ᾱ = ā; Γ̄ ⇝ ū : B̄^ᾱ    α ∉ ā    x̄ : T̄, Γ̄ are compatible
  ------------------------------------------------------------------------------------------
  α = 1 + max(ā); x̄ : T̄, Γ̄ ⇝ c x̄ ū : B^α



Lemma 3. We assume given an injection ε from term variables to size variables. Consider the rules of Figure 3. If α = a; Γ ⇝ t : B^α and tσ ∈ I_B^{αμ}, then there is ν such that (μ + ν, σ) ⊨ α = a; Γ.

Proof. We say that a is minimal for t ∈ [B̄]^I if t ∈ [B]^I_a and, for all b < a, t ∉ [B]^I_b. We prove the lemma by induction on α = a; Γ ⇝ t : B^α with the additional requirement that ν is minimal whenever μ so is.

(1) It suffices to take ε_x ν = αμ.

(2) and (2') It suffices to take ν = ∅.

(3) We have tσ = c x̄σ ūσ. Thus, μ is minimal, x̄σ ∈ [T̄]^I and there is μ' minimal such that ūσ ∈ I_B̄^{ᾱμ'} and αμ = 1 + max(ᾱμ'). Now, by induction hypothesis, there are ν̄ minimal such that (μ' + ν̄, σ) ⊨ ᾱ = ā; Γ̄. Since ν̄ are minimal, if xσ ∈ I_C^{ε_x ν_i} ∩ I_C^{ε_x ν_j}, then ε_x ν_i = ε_x ν_j. Thus, we can define ν = Σν̄. Since ν is minimal, we are left to prove that (μ + ν, σ) ⊨ α = 1 + max(ā); Γ̄. First, we have μ + ν ⊨ α = 1 + max(ā) since αμ = 1 + max(ᾱμ') = 1 + max(āν). Second, let x ∈ Γ_i. Then, xσ ∈ [xΓ_i]^I_{ν_i} = [xΓ_i]^I_ν. □

Theorem 3 (Termination criterion). Assume that, for every f ∈ F:

(1) τ_f is of the form T̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ T with T an ∃-basic type;

(2) there is a constraint (β̄ <_f ᾱ) such that the ordering >_f defined by ᾱμ >_f β̄μ iff μ ⊨ β̄ <_f ᾱ is well-founded;

(3) for every g ≃_F f, τ_g is of the form Ū ⇒ ∀ᾱ B̄^ᾱ ⇒ U and <_f = <_g;

and, for every rule t = c ⊃ l → r defining f:

(4) l is of the form f x̄ l̄ with |x̄| = |T̄| and |l̄| = |ᾱ|;

(5) there are Γ̄ compatible and ā such that ᾱ = ā; Γ̄ ⇝ l̄ : B̄^ᾱ;

(6) every symbol occurring in r is ≤_F f;

(7) ᾱ = ā; x̄ : T̄, Γ̄ ⊢_{τ^<} t : bool^b;

(8) b = c* ∧ ᾱ = ā; x̄ : T̄, Γ̄ ⊢_{τ^<} r : T;

where:

(9) for every g <_F f, τ^<_g = τ_g;

(10) for every g ≃_F f, τ^<_g = Ū ⇒ ∀ᾱ'(ᾱ' <_f ᾱ) B̄^{ᾱ'} ⇒ U with ᾱ' ∉ ᾱ whenever τ_g = Ū ⇒ ∀ᾱ' B̄^{ᾱ'} ⇒ U.

Then, → is strongly normalizing on Λ(τ) and Λ(τ̄).

Proof. We must prove that, for all f : T̄ ⇒ ∀ᾱ B̄^ᾱ ⇒ T, t̄ ∈ [T̄]^I, μ and ū ∈ I_B̄^{ᾱμ}, s = f t̄ ū ∈ S = [T]^I_μ. We proceed by induction on (f, ᾱμ, t̄ū) with (>_F, >_f, →_lex)_lex as well-founded ordering. By Lemma 2, it suffices to prove that →(s) ⊆ S. If the reduction takes place in t̄ū, we conclude by induction hypothesis. Assume now that there are t = c ⊃ f x̄ l̄ → r ∈ R and σ such that x̄σ = t̄ and l̄σ = ū. We must prove that rσ ∈ [T]^I_μ. After Lemma 3, since Γ̄ are compatible, there is ν such that (μ + ν, σ) ⊨ ᾱ = ā; Γ̄. By induction hypothesis, for all g ≤_F f, g ∈ [τ^<_g]^I (considering ᾱ as constants interpreted by ᾱμ). Thus, letting η = μ + ν, by Theorem 2, we have tσ ∈ I_bool^{bη}. Since tσ →* c ∈ I_bool^{bη}, we have bη = c*. Thus, η ⊨ b = c* and, by Theorem 2 again, rσ ∈ [T]^I_η = [T]^I_μ. □

The size variables ᾱ in the type of f (1) represent the sizes of the recursive arguments of f. The user-defined predicate <_f in (2) expresses the measure that must decrease in recursive calls. One can for instance take lexicographic or multiset comparisons together with linear combinations of the arguments. The condition (5) provides the constraints on ᾱ when a term matches the rule left-hand side l = f x̄ l̄. The condition (7) implies that the terms t are terminating whenever the arguments of the left-hand side so are. The condition (8) implies that the right-hand side is terminating whenever the arguments of the left-hand side so are and t →* c. The fact that t →* c is expressed by the additional constraint b = c*. Termination is ensured by doing type-checking in the system ⊢_{τ^<} where, by condition (10), function symbols equivalent to f can only be applied to arguments smaller than ᾱ in <_f. This is in contrast with [8] where a new type system (called the computability closure) restricting the use of (app) must be introduced.

Example 3. We detail the criterion with the second rule of pivot given in the introduction. Let r be the right-hand side of the rule and u (resp. v) be the first (resp. second) branch of if in r.

We take pivot : N ⇒ ∀α L^α ⇒ T(α) with T(α) = ∃βγ(α = β + γ) L^β × L^γ, <_f = <, >_f = >_N and le : N ⇒ N ⇒ bool. Let Γ = y : N, l : L^δ and Δ = x : N, Γ.

Matching constraint: α = δ + 1; Γ ⇝ cons y l : L^α (we take ε_l = δ).

We must check that α = δ + 1; Δ ⊢ r : T(α) with pivot : N ⇒ ∀α'(α' < α) L^{α'} ⇒ T(α'). Let Δ' = Δ, z : L^β × L^γ.

One can easily check that δ < α; Δ ⊢ pivot x l ↑ T(δ), ⊤; Δ' ⊢ le y x ↓ bool, ⊤; Δ' ⊢ u ↑ L^{β+1} × L^γ, ⊤; Δ' ⊢ v ↑ L^β × L^{γ+1}.

Thus, by (↓sub), β + 1 = β' ∧ γ = γ'; Δ' ⊢ u ↓ L^{β'} × L^{γ'} and β = β' ∧ γ + 1 = γ'; Δ' ⊢ v ↓ L^{β'} × L^{γ'}.

By (↓∃intro), D; Δ' ⊢ u ↓ T(α) where D = ∃β'γ'(β + 1 = β' ∧ γ = γ' ∧ α = β' + γ'), and E; Δ' ⊢ v ↓ T(α) where E = ∃β'γ'(β = β' ∧ γ + 1 = γ' ∧ α = β' + γ'). Note that D ≡ E ≡ (α = β + γ + 1).

By (↓if), α = β + γ + 1; Δ' ⊢ if (le y x) then u else v ↓ T(α).

By (↓∃elim), F; Δ ⊢ r ↓ T(α) where F = δ < α ∧ (∃βγ(δ = β + γ)) ∧ (∀βγ(δ = β + γ ⊃ α = β + γ + 1)).

Therefore, α = δ + 1; Δ ⊢ r : T(α) if ⊨ α = δ + 1 ⊃ F, which is true.
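The constraint generation of Example 3 and the subtyping clauses (|T ≤ U|) of Section 2, as an added Python example that is not part of the paper. The tuple encoding of types and constraints and the bounded evaluator over small naturals are this example's own (the paper relies on a Presburger decision procedure); the else-branch type of the rule is a parameter so that a wrong right-hand side can be tried as well.

```python
"""Constraint generation for the subtyping relation (|T <= U|) of Section 2 and
the constraints of Example 3, checked over a bounded range of naturals."""
from itertools import product

# Size expressions (linear): ("var", name) | ("const", n) | ("add", e, e)
# Types: ("B", name, size) | ("arrow", T, U) | ("prod", T, U)
#        | ("exists", [vars], P, T) | ("forall", [vars], P, T)
# Constraints: ("eq", e, e) | ("lt", e, e) | ("and", *cs) | ("imp", c, d)
#              | ("exists", [vars], c) | ("forall", [vars], c)

def sub(T, U):
    """(|T <= U|) from Section 2. Bound size variables are assumed fresh, i.e.
    not free in the other type, as the side conditions of the clauses require."""
    if T[0] == "B" and U[0] == "B":
        if T[1] != U[1]:
            raise TypeError(f"{T[1]} vs {U[1]}")
        return ("eq", T[2], U[2])
    if T[0] == "arrow" and U[0] == "arrow":        # contravariant in the domain
        return ("and", sub(U[1], T[1]), sub(T[2], U[2]))
    if T[0] == "prod" and U[0] == "prod":
        return ("and", sub(T[1], U[1]), sub(T[2], U[2]))
    if U[0] == "exists" and T[0] != "exists":      # T <= ∃αPU'
        return ("exists", U[1], ("and", U[2], sub(T, U[3])))
    if T[0] == "exists":                           # ∃αPT' <= U
        return ("forall", T[1], ("imp", T[2], sub(T[3], U)))
    if U[0] == "forall" and T[0] != "forall":      # T <= ∀αPU'
        return ("forall", U[1], ("imp", U[2], sub(T, U[3])))
    if T[0] == "forall":                           # ∀αPT' <= U
        return ("exists", T[1], ("and", T[2], sub(T[3], U)))
    raise TypeError(f"incomparable types {T} and {U}")

def ev(e, mu):
    if e[0] == "var":
        return mu[e[1]]
    return e[1] if e[0] == "const" else ev(e[1], mu) + ev(e[2], mu)

def holds(c, mu, bound):
    """mu |= c, with quantified variables ranging over 0..bound."""
    k = c[0]
    if k == "eq":
        return ev(c[1], mu) == ev(c[2], mu)
    if k == "lt":
        return ev(c[1], mu) < ev(c[2], mu)
    if k == "and":
        return all(holds(d, mu, bound) for d in c[1:])
    if k == "imp":
        return not holds(c[1], mu, bound) or holds(c[2], mu, bound)
    if k not in ("exists", "forall"):
        raise ValueError(c)
    quant = any if k == "exists" else all
    return quant(holds(c[2], {**mu, **dict(zip(c[1], vals))}, bound)
                 for vals in product(range(bound + 1), repeat=len(c[1])))

def valid(c, free, bound):
    """|= c over all valuations of the free variables in 0..bound. A bounded
    sanity check only, not the Presburger decision procedure the paper uses."""
    return all(holds(c, dict(zip(free, vals)), bound)
               for vals in product(range(bound + 1), repeat=len(free)))

def equiv(c, d, free, bound):
    return valid(("and", ("imp", c, d), ("imp", d, c)), free, bound)

def V(n): return ("var", n)
def add(e, f): return ("add", e, f)
def L(e): return ("B", "L", e)            # the list type L^e
ONE = ("const", 1)

def T(a):
    """T(a) = ∃β'γ'(a = β' + γ') L^β' × L^γ' from Example 3."""
    return ("exists", ["b1", "g1"], ("eq", a, add(V("b1"), V("g1"))),
            ("prod", L(V("b1")), L(V("g1"))))

def check_pivot_rule(else_type, bound=5):
    """Replay Example 3 with the then-branch u : L^{β+1} × L^γ and an else-branch
    of the given type. Returns (D, F, whether α = δ + 1 implies F)."""
    alpha, beta, gamma, delta = V("alpha"), V("beta"), V("gamma"), V("delta")
    D = sub(("prod", L(add(beta, ONE)), L(gamma)), T(alpha))   # (↓sub) + (↓∃intro)
    E = sub(else_type, T(alpha))
    P = ("eq", delta, add(beta, gamma))           # z : T(δ), opened by (↓∃elim)
    F = ("and", ("lt", delta, alpha), ("exists", ["beta", "gamma"], P),
         ("forall", ["beta", "gamma"], ("imp", P, ("and", D, E))))   # (↓if) inside
    ok = valid(("imp", ("eq", alpha, add(delta, ONE)), F), ["alpha", "delta"], bound)
    return D, F, ok

def example3():
    """D is equivalent to α = β + γ + 1 and the pivot rule passes; a variant whose
    else-branch is (fst z, snd z), of type L^β × L^γ, is rejected."""
    alpha, beta, gamma = V("alpha"), V("beta"), V("gamma")
    D, _, good = check_pivot_rule(("prod", L(beta), L(add(gamma, ONE))))
    d_ok = equiv(D, ("eq", alpha, add(add(beta, gamma), ONE)), ["alpha", "beta", "gamma"], 6)
    _, _, bad = check_pivot_rule(("prod", L(beta), L(gamma)))
    return d_ok, good, bad
```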

Example 4. Consider the following definition of McCarthy's 91 function:

le x 100 = true ⊃ f x → f (f (plus x 11))
le x 100 = false ⊃ f x → minus x 10

We assume that A contains le : nat × nat ⇒ bool interpreted as expected.

We assume that le : ∀αβ N^α ⇒ N^β ⇒ bool^{le(α,β)}, plus : ∀αβ N^α ⇒ N^β ⇒ N^{α+β}, minus : ∀αβ N^α ⇒ N^β ⇒ ∃γP N^γ with P = (α ≤ β ∧ γ = 0) ∨ (α > β ∧ α = β + γ), and f : ∀α N^α ⇒ ∃βQ N^β with Q = (α ≤ 100 ∧ β = 91) ∨ (α > 100 ∧ α = β + 10). Taking Γ = x : N^α, we get that ⊤; Γ ⊢ le x 100 : bool^{le(α,100)}. The condition le(α, 100) = t is equivalent to α ≤ 100, hence the termination.

6 Conclusion and future work

We extended the simply typed part of [8] with conditional rewriting and explicit quantifications and constraints over size annotations. This allows us to describe precisely the relation between the size of the output of a function and the size of its inputs. This also provides a powerful termination criterion for the combination of β-reduction and higher-order conditional rewriting, based on type-checking and constraint solving. To our knowledge, this is the first termination criterion for higher-order conditional rewriting taking into account conditions in termination. We plan to extend this work in various directions:

- As in [22], we did not consider constructors with recursive arguments of higher-order type since this is already studied in [8]. The integration of both works should not create too many difficulties. We already have preliminary results in this direction.

- The complexity of Presburger arithmetic is high. Although it is not so important in our case since the constraints we consider are small (rule right-hand sides are generally not very big terms), it would be interesting to study the complexity in more detail, depending on the allowed size annotations.

- Our long term goal is to extend the present work to polymorphic and dependent type systems that serve as basis for proof assistants like Coq, e.g. the Calculus of Algebraic Constructions [9].

- We assume that constrained types of function symbols are given and check that they imply termination. It would be very interesting to infer these constraints automatically.